Hi, I'm a customer using your template package for ISO 27001.
Quick question for the experts:
I've read this thread in the community (https://community.advisera.com/topic/control-objectives-in-the-statement-of-applicability) but I'm still having some difficulties.
We're a very small organization with a scope of 3-4 persons. We've never had a security incident. I know that you've added the "Control objective" column to make it practically easier, but I start to wonder if we should completely remove the column. The only control objective I can think of is "We want to continue having 0 (zero) security incidents". And sure, I can put in "We want to have zero security incidents due to (insert e.g., lack of patching, poorly managed access rights, etc.)".
Currently, I've written the same thing in almost every control (formulated as a question though):
- Have any incidents occurred due to a failed control with access rights?
- Have any incidents occurred due to the lack of security measures in the transfer of physical media?
I cannot figure out how to diversify it. Can I completely ignore the control objective column and then just go by "We want to keep having zero security incidents. If we register any - how many? And due to what?" and then look to the weakness?